When a user logs on (including with RunAs), the system creates a new token for the user, determining at that time what groups the user is a member of and which privileges the user should have. Once a token is created, one can#%92t add or (generally) remove any groups or privileges from the token.